Wireshark-users: Re: [Wireshark-users] question about fancy DHCP display filtering
From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Tue, 15 May 2007 11:55:35 -0700
On Tue, May 15, 2007 at 05:37:18PM +0000, Stefan Puiu wrote:

> Thanks for confirming that. Then I've another question: how can I look 
> for all DHCP packets where there is an option with value '0x3058' (in 
> hex), for example? I can't seem to grasp how the "bootp.options.value 
> == " filter is supposed to work - I've tried:
> 
> * "bootp.options.value == 0x3058" (field turns red, invalid format)
> * "bootp.options.value == 30 58" (field turns green, however, all
> packets are matched, even if that is not correct)
> 
> This would at least in my particular situation - I'm trying to find 
> some DHCP clients which send some bogus options.

Try putting a colon between each hex byte: bootp.options.value == 30:58

The bootp.options.value is a type "BYTES" which means it is just raw 
hex values separated by colons.  You can right click on one of the 
values you see and select Apply As Filter -> Selected and see how it is 
formatted in the filter entry box.


Steve